From 1803559c4ee407d0bcbf2a67dbe96690cee869d2 Mon Sep 17 00:00:00 2001
From: Alexei Podtelezhnikov
Date: Wed, 22 Apr 2026 20:49:51 -0400
Subject: [PATCH] * src/truetype/ttinterp.c (Ins_SHZ): Fix the range limit. Fixes #1419 and #1420, as well as https://issues.oss-fuzz.com/issues/499455833
---
 src/truetype/ttinterp.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c
index fc7fccdf3..abb8f13aa 100644
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -5132,13 +5132,11 @@
 /* XXX: UNDOCUMENTED! SHZ doesn't move the phantom points. */
 /* Twilight zone has no real contours, so use `n_points'. */
 /* Normal zone's `n_points' includes phantoms, so must */
- /* use end of last contour. */
+ /* subtract them. */
 if ( exc->GS.gep2 == 0 )
 limit = exc->zp2.n_points;
- else if ( exc->GS.gep2 == 1 && exc->zp2.n_contours > 0 )
- limit = exc->zp2.contours[exc->zp2.n_contours - 1] + 1;
 else
- limit = 0;
+ limit = exc->zp2.n_points - 4U;
 /* XXX: UNDOCUMENTED! SHZ doesn't touch the points */
 for ( i = 0; i < limit; i++ )
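Review bot: The new `else` branch computes `limit = exc->zp2.n_points - 4U;` with no lower-bound check, so if the normal zone ever holds fewer than four points the unsigned subtraction wraps and the `for ( i = 0; i < limit; i++ )` loop below runs far past the zone's arrays. Nothing visible in the hunk establishes that `n_points >= 4` always holds when `gep2 != 0`, and since the bytecode comes from the font file that invariant deserves an explicit guard, for example `limit = exc->zp2.n_points > 4 ? exc->zp2.n_points - 4U : 0;`. If the invariant is guaranteed elsewhere, the comment could say so, e.g. `/* n_points >= 4 here: the glyph loader always appends the phantom points */`. The branch also now applies to every non-zero `gep2` where the old code tested `== 1`, which presumably relies on `gep2` being validated when it is set. The declaration of `limit` and the rest of Ins_SHZ lie outside the hunk, so the width of the assignment target could not be checked here.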